OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Smart Browser

> The browser protocols that we have are the "one-time" 
> artifact and possibly Shibboleth.

Shibboleth will be using the POST profile, which is part of SAML, so I
wouldn't say we're adding anything to this issue.

> I don't believe that a 
> thorough cryptanalysis has been performed on the "one-time" 
> artifact and thus I don't feel comfortable with proposing it 
> as a security profile for SAML.

I'm not sure anything formal exists, but the vulnerabilities of
browser-transported credentials are pretty well-known at this point, I
think. In general, you limit the window, target the credential, and make
it hard to forge; that's the best you can do.

> I think that Shibboleth is 
> an excellent approach but it doesn't seem to cover the 
> general browser case that SAML is trying to address, i.e. its scope
> is narrower than SAML's in some respects.

It is narrower in some senses, but not in this one. It needs the same
features SAML's web browser profile needs, so we adopted it in the
interest of compatibility. We're not planning on using the artifact, but
the exposures are pretty much the same with POST.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC